Multiple application-layer technologies exist to prevent exploitation of stack-overflow conditions. A paper describing a number of new weaknesses in these technologies has recently been published. The weakness described in this report is the lack of protection for saved base pointers. Affected by this weakness are programs compiled with StackGuard and StackShield. This may have a number of resultant issues. When the calling function references its local variables and arguments, it does so relative to the base pointer. Depending on what operations are performed, this may allow an attacker to write arbitrary data to arbitrary locations in memory. StackGuard 2.0.1 uses a fixed-value canary. The combination of the ability to corrupt the saved base pointer and the canary being a fixed value may allow buffer-overflow protection to be evaded. If an attacker were able to somehow embed the fixed-value canary and return address in memory, and then replace the saved base pointer with an address appropriately offset from that of the canary/return address, the StackGuard check would pass and allow return into shellcode.
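The following is an added illustration, not code from the advisory, the referenced paper, or StackGuard itself. It models a 32-bit stack frame as a byte array and compares two canary placements: the one the advisory describes, where the canary sits next to the return address and leaves the saved base pointer below it unguarded, and the alternative where the canary sits directly above the local buffer so that any contiguous overflow must cross it before reaching the saved base pointer. The frame layout, buffer size, and the canary, saved-EBP and return-address values are all constructed assumptions chosen so that the three slots are distinguishable; `simulate_overflow` and `saved_ebp_unprotected` are hypothetical helper names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an x86 stack frame, in increasing address order:
 *   [ local buffer ][ 4-byte slot ][ 4-byte slot ][ saved return address ]
 * The two layouts differ only in which slot holds the canary. */
enum layout {
    CANARY_NEXT_TO_RET,   /* buf, saved ebp, canary, ret: canary guards only ret (the layout described above) */
    CANARY_BELOW_EBP      /* buf, canary, saved ebp, ret: canary guards saved ebp and ret */
};

#define BUF_SIZE   16
#define SLOT       4
#define FRAME_SIZE (BUF_SIZE + 3 * SLOT)

/* Assumed sample slot contents; any mutually distinct values would do. */
static const uint32_t CANARY_VALUE = 0x000aff0d;  /* fixed terminator-style canary: NUL, LF, 0xff, CR */
static const uint32_t SAVED_EBP    = 0xbffff000;
static const uint32_t RET_ADDR     = 0x08048000;

struct frame_state {
    int canary_intact;
    int saved_ebp_intact;
    int ret_intact;
};

/* Build a model frame, overflow the local buffer with write_len bytes of filler
 * (a bounds-unchecked strcpy-style write), and report which slots survived. */
struct frame_state simulate_overflow(enum layout l, size_t write_len)
{
    uint8_t frame[FRAME_SIZE];
    size_t canary_off = BUF_SIZE + (l == CANARY_NEXT_TO_RET ? SLOT : 0);
    size_t ebp_off    = BUF_SIZE + (l == CANARY_NEXT_TO_RET ? 0 : SLOT);
    size_t ret_off    = BUF_SIZE + 2 * SLOT;
    struct frame_state s;

    memset(frame, 0, sizeof frame);
    memcpy(frame + canary_off, &CANARY_VALUE, SLOT);
    memcpy(frame + ebp_off, &SAVED_EBP, SLOT);
    memcpy(frame + ret_off, &RET_ADDR, SLOT);

    if (write_len > FRAME_SIZE)
        write_len = FRAME_SIZE;          /* the model frame ends here */
    memset(frame, 'A', write_len);       /* contiguous overflow from the buffer start */

    s.canary_intact    = memcmp(frame + canary_off, &CANARY_VALUE, SLOT) == 0;
    s.saved_ebp_intact = memcmp(frame + ebp_off, &SAVED_EBP, SLOT) == 0;
    s.ret_intact       = memcmp(frame + ret_off, &RET_ADDR, SLOT) == 0;
    return s;
}

/* Returns 1 if some overflow length corrupts the saved base pointer while the
 * canary check would still pass, i.e. the saved base pointer is unprotected. */
int saved_ebp_unprotected(enum layout l)
{
    size_t n;
    for (n = BUF_SIZE + 1; n <= FRAME_SIZE; n++) {
        struct frame_state s = simulate_overflow(l, n);
        if (s.canary_intact && !s.saved_ebp_intact)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("canary next to return address: saved ebp unprotected = %d\n",
           saved_ebp_unprotected(CANARY_NEXT_TO_RET));
    printf("canary directly above buffer:  saved ebp unprotected = %d\n",
           saved_ebp_unprotected(CANARY_BELOW_EBP));
    return 0;
}
```

Running the model shows that with the canary beside the return address a 17- to 20-byte overflow of the 16-byte buffer silently clobbers the saved base pointer, while with the canary directly above the buffer no contiguous overflow reaches the saved base pointer without first destroying the canary. Placing the guard below the saved frame pointer closes the gap this advisory describes; the fixed-value canary is a separate weakness, which later stack-protector implementations address by drawing the canary from a per-process random value so it cannot be embedded in advance.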